Security Features in Microsoft Exchange Hosted Services


Technical Overview

Published: November 2008


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, Outlook, SharePoint, Windows, and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Contents

Security for Hosted Products

Security for the Hosting Environment

Key Architecture Design Points

Physical Security

Fault-Tolerance & Redundancy

Operations and Personnel Security

Privacy

Application-level Security

Secure Application Design

Security Features

Security for Hosted Products

Security for the Hosting Environment

The Microsoft® Exchange Hosted Services environment is composed of computers, operating systems, applications and services, networks, operations and monitoring equipment, and specialized hardware, along with the administrative and operations staff required to run and maintain the service. The environment also includes the physical operations centers that house the solution and which themselves must be secured against malicious and accidental damage.

Key Architecture Design Points

Defense in Depth

Microsoft Exchange Hosted Services is designed to provide Defense in Depth, preventing the failure of any one level from compromising the security of the entire environment. The Defense in Depth layers include:

Filtering Routers

Filtering routers drop traffic addressed to non-routable IP addresses. This helps to defeat common attacks in which automated “drones” or “spiders” sweep address ranges searching for vulnerable servers. Although relatively easy to block, these scans remain a favorite reconnaissance method for attackers looking for weaker defenses.

Firewalls

Firewalls restrict data communication to known and authorized ports, protocols, and destination IP addresses. Firewalls also perform packet inspection, which helps to ensure that packet contents are in the expected format and conform to the expected protocol exchange.

Intrusion Detection Systems

The service uses network-based intrusion detection systems (IDS) to monitor incoming and outgoing traffic in real time, looking for deviations from the normal traffic patterns of the service. The hosted environment is monitored 24x7; detected inappropriate activity generates an immediate notification, which is analyzed and, if necessary, followed by corrective action. The IDS performs protocol analysis and can detect a variety of attacks and probes, such as port scans and attempts to communicate using inappropriate IP address ranges.
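As an added example (not Microsoft's code, and not a description of the IDS actually deployed in the service), the following Python implements two of the checks the Filtering Routers and Intrusion Detection Systems sections above describe: flagging traffic that arrives from non-routable ("martian") source addresses, and detecting vertical and horizontal port scans within a sliding time window. The flow-record format, the thresholds and the flow records themselves are constructed assumptions; the RFC 5737 documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses.

```python
import ipaddress
from collections import defaultdict

# Ranges that should never appear as a source on the public interface (assumed list:
# RFC 1918 private space, loopback, link-local, "this network", multicast, reserved).
# The RFC 5737 documentation ranges are deliberately omitted so they can stand in for
# public addresses in the constructed data below.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_martian(ip):
    """True if the address falls in a range that must not be a public source."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MARTIANS)


def _first_burst(events, window, threshold):
    """events: list of (timestamp, value). Return (timestamp, distinct_count) at the
    first point where at least `threshold` distinct values fall inside the trailing
    `window` seconds, or None if that never happens."""
    events.sort()
    in_window = defaultdict(int)        # value -> occurrences inside the window
    left = 0
    for ts, value in events:
        in_window[value] += 1
        while events[left][0] < ts - window:    # expire events older than the window
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        if len(in_window) >= threshold:
            return ts, len(in_window)
    return None


def analyze(flows, window=60, min_ports=10, min_hosts=10):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port, tcp_flags).
    Returns alert dicts for martian sources, vertical scans (one source probing many
    ports on one host) and horizontal scans (one source probing one port on many hosts)."""
    alerts = []
    vertical = defaultdict(list)        # (src, dst)  -> [(ts, dst_port)]
    horizontal = defaultdict(list)      # (src, port) -> [(ts, dst)]
    for ts, src, dst, port, flags in flows:
        if is_martian(src):
            alerts.append({"type": "martian_source", "src": src, "dst": dst, "at": ts})
        if flags != "S":                # only bare SYNs (connection attempts) count
            continue
        vertical[(src, dst)].append((ts, port))
        horizontal[(src, port)].append((ts, dst))
    for (src, dst), ev in vertical.items():
        hit = _first_burst(ev, window, min_ports)
        if hit:
            alerts.append({"type": "vertical_scan", "src": src, "dst": dst,
                           "distinct": hit[1], "at": hit[0]})
    for (src, port), ev in horizontal.items():
        hit = _first_burst(ev, window, min_hosts)
        if hit:
            alerts.append({"type": "horizontal_scan", "src": src, "port": port,
                           "distinct": hit[1], "at": hit[0]})
    return alerts


# Constructed flow records (not captured traffic); timestamps are in seconds.
FLOWS = (
    # normal mail delivery: one source, one host, one port, repeated
    [(1000 + i, "203.0.113.7", "198.51.100.10", 25, "S") for i in range(5)]
    # vertical scan: 12 ports on one host within 12 seconds
    + [(2000 + i, "203.0.113.66", "198.51.100.10", 1 + i, "S") for i in range(12)]
    # horizontal scan: port 25 on 15 hosts within 15 seconds
    + [(3000 + i, "203.0.113.99", "198.51.100.%d" % (1 + i), 25, "S") for i in range(15)]
    # slow vertical scan: 12 ports, one every 100 seconds, never 10 inside a 60 s window
    + [(4000 + 100 * i, "203.0.113.77", "198.51.100.20", 1 + i, "S") for i in range(12)]
    # RFC 1918 source arriving on the public interface
    + [(5000, "10.0.0.5", "198.51.100.10", 80, "S")]
)

if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(alert)
```

The slow scanner in the sample data is never reported: a fixed window trades off sensitivity against false positives, which is why a production IDS also correlates over longer horizons and across sensors, and why the thresholds have to be tuned to the environment's normal traffic.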

Windows Security Patch Management

Windows security patch management is an integral part of operations and is necessary to ensure that systems are protected against known vulnerabilities; it cannot address vulnerabilities for which no fix has yet been published, which is why it is only one layer of the defense. Microsoft Exchange Hosted Services uses Windows Server Update Services (WSUS) to manage the distribution and installation of Windows security patches.

Monitoring

Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that proactively manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.

Network Segmentation

At the interface with the public network, Microsoft uses special-purpose security devices for firewall, NAT, and IP filtering functions. Functions at this layer include denial-of-service (DoS) blocking, intrusion detection (IDS), Secure Sockets Layer (SSL) handling, and initial access validation.

The back-end network is made up of partitioned LANs for Web and applications servers, data storage, and centralized administration. These servers are grouped into private address segments behind the load balancers.

Service Administration Access

Because all Microsoft Exchange Hosted Services data center deployments are “lights-out” managed, administrative access to the networks is conducted over 128-bit encrypted communication channels and requires two-factor authentication.

Physical Security

Physical security goes hand-in-hand with virtual or software-based security measures, and similar risk assessment and risk mitigation procedures apply to each.

Microsoft Exchange Hosted Services are delivered to customers through a network of global data centers, each designed to run 24 x 7, and each employing various measures to help protect operations from power failure, physical intrusion, and network outages. These data centers comply with industry standards for physical security and reliability; are managed, monitored, and administered by Microsoft operations staff; and are geographically dispersed.

Microsoft uses highly secured access mechanisms, limited to a very small number of operations personnel, who must regularly change their administrator access passwords. Data center access, and authority to open data center access tickets, is controlled by the network operations director in conjunction with local data center security practices.

Fault-Tolerance & Redundancy

Microsoft Exchange Hosted Services is designed to be fault-tolerant and redundant. From geographically diverse data center deployments to clustered server farms, all aspects of the service provide for fault-tolerance and redundant service.

Service Redundancy

Each layer of the infrastructure is designed to continue operations in the event of failure, including redundant network devices at each layer and dual internet service providers at each data center. The network is monitored by the Network Operations Center 24x7x365 to detect any anomalies or potential network issues.

Data Center Redundancy

Microsoft data centers feature automated failover that can rapidly transfer operations to alternative, geographically separate data centers if this becomes necessary. Failover is transparent, requiring no intervention from customers while service is resumed.

Operations and Personnel Security

Incident Response

Microsoft Exchange Hosted Services staffs a Network Operations Center 24 x 7. The procedures to follow in the event of a security breach are documented and available to operations personnel, and a full communication plan is in place for security incidents.

Privacy

Microsoft regards personal information as private and will take reasonable and customary measures to appropriately handle personally identifiable information.

Personal information on the Microsoft Exchange Hosted Services will only be collected, processed, and transferred with the consent of the customer, including as described per our contractual obligations or as required under applicable law.

Microsoft (and all of our U.S. subsidiaries) is Safe Harbor certified with the U.S. Department of Commerce. This allows for legal transfer of data to Microsoft for processing from within European Union and countries with aligned data protection laws. For enterprise customers, Microsoft acts as the data processor and, to the extent of the Service’s capabilities, decisions regarding data usage are made by the data controller.

For information about specific data handling practices on Microsoft Exchange Hosted Services, please refer to the privacy statement, located here:

http://go.microsoft.com/fwlink/?LinkID=101332

Microsoft services and products are built in accordance with Microsoft Trustworthy Computing Initiative’s published privacy guidelines, available here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en

Application-level Security

In addition to data center, network, and personnel security practices, Microsoft Exchange Hosted Services incorporates various security practices at the application layer to help ensure a secure experience for all customers. This includes both how the application is developed and features within the application that are available to the administrators of the service.

Secure Application Design

New applications, and existing applications undergoing change, are reviewed before their go-live date for compliance with the Security Development Lifecycle (SDL) and the Trustworthy Computing practices in use at Microsoft.

The reviews include threat models, code reviews, and remediation plans. Remediations are tested before Release to Operations for deployment.

Security Features

Microsoft Exchange Hosted Services includes many security options beyond the core anti-spam and antivirus technologies provided by the service. Collectively, they give administrators many options to further protect data and privacy.

Password Enforcement (Authentication)

Microsoft Exchange Hosted Services allows administrators to enable any of 10 password policy enforcement options, such as password expiration and password strength. Administrators can also set organization-level password rules so that the policy is enforced for existing domains and for domains added in the future.

Rights and Roles (Authorization)

The service defines a set of access rights that users and other entities require to perform certain operations (e.g., Review or Share an archived message). Built-in user roles are defined, each granted a certain set of access rights (e.g., the Supervisor role can review archived messages for a subordinate). Administrators can assign one or more user roles to a given user. In addition, custom roles can be defined and assigned to users.

Every operation in the service has two steps of authorization enforcement:

–  Action Authorization: Checks if the user/component can perform the specified action

–  Resource Authorization: Checks if the user/component can access the specified resource

Auditing and Impersonation

All administrative operations are audited. The audit trail can be viewed to determine the history of any particular change.

User-to-user impersonation is supported so that an administrator (if they know the user’s credentials) can log on as that user and be subject to the same set of access rights as the user being impersonated. During impersonation, the audit log records changes as made by the actual (logged-on) user, with extra information showing which user they are impersonating.
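The Rights and Roles and Auditing and Impersonation sections above describe one authorization model; the Python below is an added example of that model, not Microsoft's code and not the service's actual right or role names. It shows the two-step check (action authorization against the user's rights, then resource authorization against the resource's owner and the reporting line), built-in and custom roles, and an audit trail in which an impersonating administrator is recorded as the actor together with the user being impersonated. The right names, the reporting-line structure, the idea that impersonation is granted by the service rather than by knowing the user's password, and all users and messages are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, List

# Built-in roles and the rights they grant (assumed names, not the service's own).
BUILT_IN_ROLES = {
    "User":          {"archive.review", "archive.share"},
    "Supervisor":    {"archive.review", "archive.review_subordinate"},
    "Administrator": {"policy.edit", "user.manage", "audit.view"},
}
# Which right each operation requires (step 1, action authorization).
ACTION_RIGHTS = {"review": "archive.review", "share": "archive.share", "edit_policy": "policy.edit"}


@dataclass
class ArchivedMessage:
    msg_id: str
    owner: str
    shared_with: set = field(default_factory=set)


@dataclass
class Session:
    actor: str                          # the user who actually logged on
    impersonating: Optional[str] = None  # user whose rights apply, if impersonating

    @property
    def effective_user(self):
        return self.impersonating or self.actor


@dataclass
class Decision:
    allowed: bool
    stage: Optional[str] = None         # "action" or "resource" when denied
    reason: str = ""


class AuthzService:
    def __init__(self):
        self.roles = {name: set(rights) for name, rights in BUILT_IN_ROLES.items()}
        self.user_roles = {}            # user -> set of role names
        self.supervisor_of = {}         # subordinate -> supervisor
        self.audit_log: List[dict] = []

    def define_role(self, name, rights):
        """Custom role: any bundle of existing right names."""
        self.roles[name] = set(rights)

    def assign(self, user, *role_names):
        for role in role_names:
            if role not in self.roles:
                raise KeyError("unknown role %s" % role)
        self.user_roles.setdefault(user, set()).update(role_names)

    def rights_of(self, user):
        return set().union(*(self.roles[r] for r in self.user_roles.get(user, ())))

    def _resource_in_scope(self, user, rights, resource):
        """Step 2, resource authorization: may this user touch this particular object?"""
        if resource is None:            # organization-level operation, no object to scope
            return True
        if isinstance(resource, ArchivedMessage):
            return (resource.owner == user
                    or user in resource.shared_with
                    or ("archive.review_subordinate" in rights
                        and self.supervisor_of.get(resource.owner) == user)
                    or "archive.review_any" in rights)
        return False

    def authorize(self, session, action, resource=None):
        user = session.effective_user
        rights = self.rights_of(user)
        required = ACTION_RIGHTS[action]
        if required not in rights:
            decision = Decision(False, "action", "%s lacks right %s" % (user, required))
        elif not self._resource_in_scope(user, rights, resource):
            decision = Decision(False, "resource", "%s is outside the scope of %s" % (user, resource.msg_id))
        else:
            decision = Decision(True)
        # Every check is audited; the real logged-on user stays the actor even when impersonating.
        self.audit_log.append({
            "by": session.actor, "impersonating": session.impersonating, "as": user,
            "action": action, "resource": getattr(resource, "msg_id", None),
            "allowed": decision.allowed, "denied_at": decision.stage,
        })
        return decision


def build_demo():
    """Constructed tenant: two users, a supervisor of bob, an administrator, a custom role."""
    svc = AuthzService()
    svc.assign("alice", "User")
    svc.assign("bob", "User")
    svc.assign("carol", "Supervisor")
    svc.assign("dave", "Administrator")
    svc.supervisor_of["bob"] = "carol"
    svc.define_role("ComplianceOfficer", {"archive.review", "archive.review_any"})
    svc.assign("erin", "ComplianceOfficer")
    return svc


if __name__ == "__main__":
    svc = build_demo()
    msg = ArchivedMessage("m-1", owner="bob")
    for who, action in [("bob", "review"), ("alice", "review"), ("carol", "review"),
                        ("carol", "share"), ("erin", "review"), ("dave", "review")]:
        print(who, action, svc.authorize(Session(who), action, msg))
    print(svc.authorize(Session("dave", impersonating="bob"), "review", msg), svc.audit_log[-1])
```

Two points worth noticing: alice passes the action check (every User holds archive.review) and is stopped only by the resource check, which is exactly why the second step exists; and the administrator dave, who holds no archive rights himself, gains bob's rights only by impersonating him, with the audit entry still naming dave as the actor.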

Application Access Restrictions

Administrators can restrict end user quarantine access to a specified IP or IP range. Administrator access to the admin center can also be restricted to a specified IP or IP range.

Policy Enforcement

The Microsoft Exchange Hosted Services policy filter is a robust tool that allows administrators to regulate and monitor their email traffic. Policy rules to block EXE, VBS, PIF, and SCR files in email are created automatically for every new domain and can be edited as needed. The policy filter’s Forced TLS action allows administrators to require server-to-server encryption for certain email based on the email’s sender, recipient, text in the subject or body, or attachment. Content inspection includes the detection of sensitive content, such as specific file names or patterns (e.g., social security numbers, credit card numbers). Message-level encryption is also available and requires a subscription to Exchange Hosted Encryption.
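As an added example (not Microsoft's code, and not the service's actual rule engine), the Python below implements a miniature policy filter with the behaviours the paragraph above lists: the default rule blocking EXE, VBS, PIF and SCR attachments, detection of social security and credit card number patterns in the message text, and a Forced TLS action triggered by recipient domain or by sensitive content. It goes one step past the text in checking attachment content as well as file name, since an executable renamed to .pdf still starts with the "MZ" header. The rule format, the action names, the partner domain and the sample messages are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List

# Attachment types the default rule blocks for every new domain.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".pif", ".scr"}

# US Social Security Number AAA-GG-SSSS, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: discards most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sensitive_content(text):
    """Return (kind, match) pairs for SSNs and Luhn-valid card numbers found in text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("card", m.group()))
    return findings


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def dangerous_attachments(msg):
    """Blocked by the final extension (so report.pdf.exe is caught) or by content:
    a Windows executable keeps its 'MZ' header whatever it is renamed to."""
    hits = []
    for att in msg.attachments:
        ext = os.path.splitext(att.filename.strip().lower())[1]
        if ext in BLOCKED_EXTENSIONS or att.content.startswith(b"MZ"):
            hits.append(att.filename)
    return hits


@dataclass
class Rule:
    name: str
    action: str                         # "Reject" or "ForceTLS" (assumed action names)
    matches: Callable[[Message], bool]


RULES = [
    Rule("Block executable attachments", "Reject",
         lambda m: bool(dangerous_attachments(m))),
    Rule("Force TLS to partner domain", "ForceTLS",
         lambda m: any(r.lower().endswith("@partner.example") for r in m.recipients)),
    Rule("Force TLS on sensitive content", "ForceTLS",
         lambda m: bool(sensitive_content(m.subject + "\n" + m.body))),
]


def evaluate(msg, rules=RULES):
    """Apply every rule; Reject outranks ForceTLS, which outranks plain delivery.
    Returns (verdict, names of the rules that matched)."""
    matched = [r for r in rules if r.matches(msg)]
    actions = {r.action for r in matched}
    verdict = "Reject" if "Reject" in actions else "ForceTLS" if "ForceTLS" in actions else "Deliver"
    return verdict, [r.name for r in matched]


# Constructed sample messages (fictitious addresses and numbers).
SAMPLES = {
    "plain": Message("a@contoso.example", ["b@fabrikam.example"], "lunch", "12:30?"),
    "double_ext": Message("a@contoso.example", ["b@fabrikam.example"], "report", "see attached",
                          [Attachment("report.pdf.exe", b"\x00" * 16)]),
    "renamed_pe": Message("a@contoso.example", ["b@fabrikam.example"], "invoice", "see attached",
                          [Attachment("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)]),
    "ssn": Message("hr@contoso.example", ["b@fabrikam.example"], "new hire", "SSN on file: 123-45-6789"),
    "card": Message("a@contoso.example", ["b@fabrikam.example"], "payment", "charge 4111 1111 1111 1111 please"),
    "not_a_card": Message("a@contoso.example", ["b@fabrikam.example"], "ref", "ticket 4111 1111 1111 1112"),
    "partner": Message("a@contoso.example", ["legal@partner.example"], "contract", "draft attached"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, evaluate(sample))
```

The filter only decides that a message needs Forced TLS; enforcing it is the sending MTA's job, which must refuse to fall back to cleartext when the receiving server does not offer STARTTLS and instead defer or bounce the message. The Luhn check and the SSN range exclusions are what keep "ticket 4111 1111 1111 1112" and "000-12-3456" from triggering the rule; pattern matching without such validation produces far more false positives than a mail administrator can review.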

Directory Services and EHS Directory Synchronization Tool

Directory Services is an optional feature of the service, but one that is highly recommended. The primary use of the Directory Services is recipient validation, which ensures that only inbound email destined to valid recipients on the domain is accepted. The Microsoft Exchange Hosted Services Directory Synchronization Tool makes it easy to share directory information in Active Directory with Directory Services. SSL encryption is used for all communications to and from Microsoft. The local (client-side) administrator credentials for the EHS Directory Synchronization Tool are encrypted.
